laravel · taylorotwell · Apr 28, 2020 · Apr 14, 2020 · Apr 17, 2020 · Apr 17, 2020
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -36,7 +36,7 @@ jobs:
           coverage: none
 
       - name: Install dependencies
-        run: composer require "illuminate/contracts=${{ matrix.laravel }}" --prefer-dist --no-interaction --no-suggest
+        run: composer require "illuminate/contracts=${{ matrix.laravel }}" --prefer-dist --no-interaction
 
       - name: Execute tests
         run: vendor/bin/phpunit --verbose
diff --git a/database/migrations/2016_06_01_000004_create_oauth_clients_table.php b/database/migrations/2016_06_01_000004_create_oauth_clients_table.php
@@ -18,6 +18,7 @@ public function up()
             $table->unsignedBigInteger('user_id')->nullable()->index();
             $table->string('name');
             $table->string('secret', 100)->nullable();
+            $table->string('provider')->nullable();
             $table->text('redirect');
             $table->boolean('personal_access_client');
             $table->boolean('password_client');

diff --git a/src/Bridge/Client.php b/src/Bridge/Client.php
@@ -16,22 +16,30 @@ class Client implements ClientEntityInterface
      */
     protected $identifier;
 
+    /**
+     * The client's provider.
+     *
+     * @var string
+     */
+    public $provider;
+
     /**
      * Create a new client instance.
      *
-     * @param  string  $identifier
-     * @param  string  $name
-     * @param  string  $redirectUri
-     * @param  bool  $isConfidential
-     * @return void
+     * @param string $identifier
+     * @param string $name
+     * @param string $redirectUri
+     * @param bool $isConfidential
+     * @param string|null $provider
      */
-    public function __construct($identifier, $name, $redirectUri, $isConfidential = false)
+    public function __construct($identifier, $name, $redirectUri, $isConfidential = false, $provider = null)
     {
         $this->setIdentifier((string) $identifier);
 
         $this->name = $name;
         $this->isConfidential = $isConfidential;
         $this->redirectUri = explode(',', $redirectUri);
+        $this->provider = $provider;
     }
 
     /**

diff --git a/src/Bridge/ClientRepository.php b/src/Bridge/ClientRepository.php
@@ -37,7 +37,7 @@ public function getClientEntity($clientIdentifier)
         }
 
         return new Client(
-            $clientIdentifier, $record->name, $record->redirect, $record->confidential()
+            $clientIdentifier, $record->name, $record->redirect, $record->confidential(), $record->provider
         );
     }
 

diff --git a/src/Bridge/UserRepository.php b/src/Bridge/UserRepository.php
@@ -32,7 +32,7 @@ public function __construct(HashManager $hasher)
      */
     public function getUserEntityByUserCredentials($username, $password, $grantType, ClientEntityInterface $clientEntity)
     {
-        $provider = config('auth.guards.api.provider');
+        $provider = $clientEntity->provider ?: config('auth.guards.api.provider');
 
         if (is_null($model = config('auth.providers.'.$provider.'.model'))) {
             throw new RuntimeException('Unable to determine authentication model from configuration.');

diff --git a/src/Client.php b/src/Client.php
@@ -3,6 +3,7 @@
 namespace Laravel\Passport;
 
 use Illuminate\Database\Eloquent\Model;
+use Illuminate\Support\Facades\Auth;
 
 class Client extends Model
 {
@@ -49,7 +50,7 @@ class Client extends Model
     public function user()
     {
         return $this->belongsTo(
-            config('auth.providers.'.config('auth.guards.api.provider').'.model')
+            config('auth.providers.'.$this->provider ?: config('auth.guards.api.provider').'.model')
         );
     }
 
@@ -102,4 +103,14 @@ public function confidential()
     {
         return ! empty($this->secret);
     }
+
+    /**
+     * Get the client's provider.
+     *
+     * @return mixed
+     */
+    public function getProvider()
+    {
+        return $this->provider ? Auth::createUserProvider($this->provider) : null;
+    }
 }
diff --git a/src/ClientRepository.php b/src/ClientRepository.php
@@ -101,21 +101,23 @@ public function personalAccessClient()
     /**
      * Store a new client.
      *
-     * @param  int  $userId
-     * @param  string  $name
-     * @param  string  $redirect
-     * @param  bool  $personalAccess
-     * @param  bool  $password
-     * @param  bool  $confidential
+     * @param int $userId
+     * @param string $name
+     * @param string $redirect
+     * @param string|null $provider
+     * @param bool $personalAccess
+     * @param bool $password
+     * @param bool $confidential
      * @return \Laravel\Passport\Client
      */
-    public function create($userId, $name, $redirect, $personalAccess = false, $password = false, $confidential = true)
+    public function create($userId, $name, $redirect, $provider = null, $personalAccess = false, $password = false, $confidential = true)
     {
         $client = Passport::client()->forceFill([
             'user_id' => $userId,
             'name' => $name,
             'secret' => ($confidential || $personalAccess) ? Str::random(40) : null,
             'redirect' => $redirect,
+            'provider' => $provider,
             'personal_access_client' => $personalAccess,
             'password_client' => $password,
             'revoked' => false,
@@ -136,7 +138,7 @@ public function create($userId, $name, $redirect, $personalAccess = false, $pass
      */
     public function createPersonalAccessClient($userId, $name, $redirect)
     {
-        return tap($this->create($userId, $name, $redirect, true), function ($client) {
+        return tap($this->create($userId, $name, $redirect, null, true), function ($client) {
             $accessClient = Passport::personalAccessClient();
             $accessClient->client_id = $client->id;
             $accessClient->save();
@@ -146,14 +148,15 @@ public function createPersonalAccessClient($userId, $name, $redirect)
     /**
      * Store a new password grant client.
      *
-     * @param  int  $userId
-     * @param  string  $name
-     * @param  string  $redirect
+     * @param int $userId
+     * @param string $name
+     * @param string $redirect
+     * @param string|null $provider
      * @return \Laravel\Passport\Client
      */
-    public function createPasswordGrantClient($userId, $name, $redirect)
+    public function createPasswordGrantClient($userId, $name, $redirect, $provider = null)
     {
-        return $this->create($userId, $name, $redirect, false, true);
+        return $this->create($userId, $name, $redirect, $provider, false, true);
     }
 
     /**

diff --git a/src/Console/ClientCommand.php b/src/Console/ClientCommand.php
@@ -18,6 +18,7 @@ class ClientCommand extends Command
             {--password : Create a password grant client}
             {--client : Create a client credentials grant client}
             {--name= : The name of the client}
+            {--provider= : The name of the provider}
             {--redirect_uri= : The URI to redirect to after authorization }
             {--user_id= : The user ID the client should be assigned to }
             {--public : Create a public client (Auth code grant type only) }';
@@ -83,8 +84,16 @@ protected function createPasswordClient(ClientRepository $clients)
             config('app.name').' Password Grant Client'
         );
 
+        $providers = array_keys(config('auth.providers'));
+
+        $provider = $this->option('provider') ?: $this->choice(
+            'What provider should be used?',
+            $providers,
+            in_array('users', $providers) ? 'users' : null
+        );
+
         $client = $clients->createPasswordGrantClient(
-            null, $name, 'http://localhost'
+            null, $name, 'http://localhost', $provider
         );
 
         $this->info('Password grant client created successfully.');
@@ -136,7 +145,7 @@ protected function createAuthCodeClient(ClientRepository $clients)
         );
 
         $client = $clients->create(
-            $userId, $name, $redirect, false, false, ! $this->option('public')
+            $userId, $name, $redirect, null, false, false, ! $this->option('public')
         );
 
         $this->info('New client created successfully.');

diff --git a/src/Console/InstallCommand.php b/src/Console/InstallCommand.php
@@ -29,8 +29,9 @@ class InstallCommand extends Command
      */
     public function handle()
     {
+        $provider = in_array('users', array_keys(config('auth.providers'))) ? 'users' : null;
         $this->call('passport:keys', ['--force' => $this->option('force'), '--length' => $this->option('length')]);
         $this->call('passport:client', ['--personal' => true, '--name' => config('app.name').' Personal Access Client']);
-        $this->call('passport:client', ['--password' => true, '--name' => config('app.name').' Password Grant Client']);
+        $this->call('passport:client', ['--password' => true, '--name' => config('app.name').' Password Grant Client', '--provider' => $provider]);
     }
 }
diff --git a/src/Guards/TokenGuard.php b/src/Guards/TokenGuard.php
@@ -82,6 +82,24 @@ public function __construct(ResourceServer $server,
         $this->encrypter = $encrypter;
     }
 
+    /**
+     * Determine if the requested provider matches the client's provider.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return bool
+     */
+    protected function validateProvider(Request $request)
+    {
+        $client = $this->client($request);
+
+        // If not client provider is defined, fallback to old behavior.
+        if ($client && empty($client->getProvider())) {
+            return true;
+        }
+
+        return $client && $this->provider == $client->getProvider();
+    }
+
     /**
      * Get the user for the incoming request.
      *
@@ -90,6 +108,10 @@ public function __construct(ResourceServer $server,
      */
     public function user(Request $request)
     {
+        if (! $this->validateProvider($request)) {
+            return;
+        }
+
         if ($request->bearerToken()) {
             return $this->authenticateViaBearerToken($request);
         } elseif ($request->cookie(Passport::cookie())) {

diff --git a/src/Http/Middleware/CheckCredentials.php b/src/Http/Middleware/CheckCredentials.php
@@ -101,7 +101,7 @@ protected function validate($psr, $scopes)
     abstract protected function validateCredentials($token);
 
     /**
-     * Validate token credentials.
+     * Validate token scopes.
      *
      * @param  \Laravel\Passport\Token  $token
      * @param  array  $scopes

diff --git a/tests/BridgeClientRepositoryTest.php b/tests/BridgeClientRepositoryTest.php
@@ -191,6 +191,8 @@ class BridgeClientRepositoryTestClientStub
 
     public $password_client = false;
 
+    public $provider = null;
+
     public $grant_types;
 
     public function firstParty()

diff --git a/tests/TokenGuardTest.php b/tests/TokenGuardTest.php
@@ -47,6 +47,7 @@ public function test_user_can_be_pulled_via_bearer_token()
         $userProvider->shouldReceive('retrieveById')->with(1)->andReturn(new TokenGuardTestUser);
         $tokens->shouldReceive('find')->once()->with('token')->andReturn($token = m::mock());
         $clients->shouldReceive('revoked')->with(1)->andReturn(false);
+        $clients->shouldReceive('findActive')->with(1)->andReturn(new TokenGuardTestClient);
 
         $user = $guard->user($request);
 
@@ -90,13 +91,18 @@ public function test_null_is_returned_if_no_user_is_found()
         $clients = m::mock(ClientRepository::class);
         $encrypter = m::mock(Encrypter::class);
 
+        $clients->shouldReceive('findActive')
+            ->with(1)
+            ->andReturn(new TokenGuardTestClient);
+
         $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter);
 
         $request = Request::create('/');
         $request->headers->set('Authorization', 'Bearer token');
 
         $resourceServer->shouldReceive('validateAuthenticatedRequest')->andReturn($psr = m::mock());
         $psr->shouldReceive('getAttribute')->with('oauth_user_id')->andReturn(1);
+        $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(1);
         $userProvider->shouldReceive('retrieveById')->with(1)->andReturn(null);
 
         $this->assertNull($guard->user($request));
@@ -110,6 +116,10 @@ public function test_users_may_be_retrieved_from_cookies_with_csrf_token_header(
         $clients = m::mock(ClientRepository::class);
         $encrypter = new Encrypter(str_repeat('a', 16));
 
+        $clients->shouldReceive('findActive')
+            ->with(1)
+            ->andReturn(new TokenGuardTestClient);
+
         $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter);
 
         $request = Request::create('/');
@@ -138,6 +148,10 @@ public function test_users_may_be_retrieved_from_cookies_with_xsrf_token_header(
         $clients = m::mock(ClientRepository::class);
         $encrypter = new Encrypter(str_repeat('a', 16));
 
+        $clients->shouldReceive('findActive')
+            ->with(1)
+            ->andReturn(new TokenGuardTestClient);
+
         $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter);
 
         $request = Request::create('/');
@@ -270,6 +284,10 @@ public function test_csrf_check_can_be_disabled()
         $clients = m::mock(ClientRepository::class);
         $encrypter = new Encrypter(str_repeat('a', 16));
 
+        $clients->shouldReceive('findActive')
+            ->with(1)
+            ->andReturn(new TokenGuardTestClient);
+
         $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter);
 
         Passport::ignoreCsrfToken();
@@ -396,4 +414,7 @@ class TokenGuardTestUser
 
 class TokenGuardTestClient
 {
+    public function getProvider()
+    {
+    }
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -37,7 +37,7 @@ public function getClientEntity($clientIdentifier) @@
             }
             return new Client(
-                $clientIdentifier, $record->name, $record->redirect, $record->confidential()
+                $clientIdentifier, $record->name, $record->redirect, $record->confidential(), $record->provider
             );
         }
@@ Expand Down @@